Code injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program. When that code is interpreted and executed by the application, Code Injection can cause data loss or corruption, lack of accountability, denial of access, and even a complete host takeover.
These attacks are usually made possible by an application's lack of proper input/output data validation. Code injection differs from command injection in that the attacker is limited only by the capabilities of the injected language itself rather than by what the host's command shell exposes. For example, if an attacker is able to inject PHP code into an application and have it executed, that injection is limited only by what PHP is capable of.
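As an added illustration that is not part of the original page, the pattern described above in Python rather than PHP: an application that hands untrusted input straight to the language interpreter, beside a hardened version that validates the input structurally and accepts only numeric arithmetic. The function names and the calculator scenario are assumptions made for this example.

```python
import ast
import operator

# Constructed scenario: a "calculator" endpoint that evaluates user-supplied text.
def calc_unsafe(expr: str):
    """Vulnerable: eval() runs whatever the caller submits, not just arithmetic.
    The caller is limited only by what Python itself can do."""
    return eval(expr)  # intentionally vulnerable, for illustration only

# Hardened version: parse the input into an AST and accept only an explicit
# allow-list of node types, so names, calls, attributes and imports never run.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

class InjectionRejected(ValueError):
    """Raised when input contains anything other than numeric arithmetic."""

def _eval_node(node):
    # Plain int/float literals (bool is a subclass of int, so exclude it explicitly).
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Anything else (Name, Call, Attribute, Subscript, strings, Pow, ...) is refused.
    raise InjectionRejected(f"disallowed syntax: {type(node).__name__}")

def calc_safe(expr: str):
    """Validate untrusted input structurally before evaluating it."""
    if len(expr) > 200:
        raise InjectionRejected("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise InjectionRejected("not a valid expression") from exc
    return _eval_node(tree.body)

def is_rejected(expr: str) -> bool:
    """True if calc_safe refuses the input (useful in tests and log checks)."""
    try:
        calc_safe(expr)
    except InjectionRejected:
        return True
    return False
```

The unsafe version happily evaluates non-arithmetic Python such as `'a' * 3`, which is exactly the "limited only by the language" property described above; the hardened version rejects it before anything executes.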
Code injection is often achieved through vulnerable frameworks that an application deploys, such as Drupal or Apache Struts, rather than through code written in-house. This makes it especially important to keep these framework packages up to date with the latest security patches.